Heather,
I just looked at your IdP from FF and from IE7. I'd say that you have two problems.
1) As Fiona says, it is prompting for a certificate which it shouldn't be.
2) You definitely do not have the intermediate certificate (examine the certificate in Firefox and you will see that).
So you should turn off the asking for a client cert - that should shut IE up. As I said earlier, pushing the intermediate cert depends on your deployment.
Fiona tells me that the Apache incantation is:
SSLCertificateChainFile /home/shibb/certs/sureserverEDU.pem
If you are not fronting with apache then things get rather more interesting (Chinese sense)...
Rod
----- Original Message -----
From: "Heather Peake" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, July 24, 2008 3:48 PM
Subject: Re: Certificate issue FireFox 3 & IE 7
No, you aren't missing anything.
Firefox 3 complains about the certificate but lets you in if you choose
exception. IE7 (recently updated) just tells you the page cannot be
displayed and I'm guessing a certificate issue. It used to let you in
but that was before we updated IE.
It was all apparently fine on FireFox2 and an older update of IE.
I'll check out the list you suggest and see what happens.
Thanks
Heather Peake
VLE Development Co-ordinator
Tel 01623 627191 ext 2292
-----Original Message-----
From: Discussion list for Shibboleth developments
[mailto:[log in to unmask]] On Behalf Of Fiona Culloch
Sent: 24 July 2008 14:46
To: [log in to unmask]
Subject: Re: Certificate issue FireFox 3 & IE 7
> Our IDP works - in that it lets us log into particular resources.
> However when I upgraded to FireFox3 as my browser it started throwing up
> problems with the certificate but if you click allow exception it works
> fine.
Hi Heather, not sure about that bit but...
> IE 7 appears to be having an issue now but not actually telling us it is a
> problem with the certificate.
Maybe I'm missing something but when I go to an SP and choose
"West Nottinghamshire College" from the WAYF, using IE7, it takes me
to the login page and doesn't complain about the certificate.
It does put up an (empty) "choose a Digital Certificate" dialogue box
first. That's usually a sign that port 443 is configured in the web
server to require client certificates, which it shouldn't be in most
cases.
It's the _other_ port that Shibboleth uses (usually 8443) that has
to be configured with SSLVerifyClient optional_no_ca (which brings
up the dialogue), but users shouldn't actually see that port at all.
(Some of the discussion in the "Re: shibboleth 2.0 idp/sp" thread may
therefore also be relevant to you).
Fiona.
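
The two fixes discussed in this thread, shown together as an added Apache configuration sketch (not taken from any poster's server). The host name and the certificate and key paths are placeholders; only the chain file path and the SSLVerifyClient setting for port 8443 come from the messages above.

```apache
# Added example. idp.example.ac.uk and the /path/to/... files are
# placeholders; the chain file path is the one quoted in the thread.

# Browser-facing port: users reach the IdP login page here.
<VirtualHost _default_:443>
    ServerName idp.example.ac.uk
    SSLEngine on
    SSLCertificateFile    /path/to/idp-server.crt
    SSLCertificateKeyFile /path/to/idp-server.key

    # Send the CA's intermediate certificate along with the server
    # certificate so browsers can build the chain to a trusted root.
    SSLCertificateChainFile /home/shibb/certs/sureserverEDU.pem

    # Do not ask browsers for a client certificate on this port.
    # (none is mod_ssl's default; stated here to make the intent explicit.)
    SSLVerifyClient none
</VirtualHost>

# The other port Shibboleth uses; users should not see it.
Listen 8443
<VirtualHost _default_:8443>
    ServerName idp.example.ac.uk
    SSLEngine on
    SSLCertificateFile    /path/to/idp-server.crt
    SSLCertificateKeyFile /path/to/idp-server.key

    # Ask for a client certificate, but do not have Apache verify it
    # against a CA.
    SSLVerifyClient optional_no_ca
</VirtualHost>
```

After a restart, `openssl s_client -connect idp.example.ac.uk:443 -showcerts` (placeholder host) lists the certificates the server actually sends, so the intermediate should appear after the server certificate.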